  • The President signed into law the Kenya Data Protection Act, 2019 on 8th November 2019.
  • The Data Protection Act is an answer due to the increased call for protection of both personal and private information, which may be readily and easily accessible in this digital era.
  • The Act regulates how data and information may be accessed, processed, stored, transmitted and used within legal parameters in Kenya.
  • In this digital era, data and information are vital in driving the global economy; thus, data is an emerging resource that must be carefully utilised and protected.
  • The Data Protection Act outlines the principles of data protection modelled on the principles set out in the EU General Data Protection Regulation 2016/679 (GDPR) which is the EU law on data protection and privacy applicable in the European Union and the European Economic Area.
  • The Data Protection Act:
    • breathes life into the right to privacy contained in Article 31(c) and (d) of the Constitution;
    • creates the Office of the Data Protection Commissioner;
    • regulates the processing of personal data;
    • articulates the rights of data subjects; and
    • provides for the obligations of Data Controllers and Data Processors.

Principles of Data Protection

  • A Data Controller refers to a natural or legal person, public authority, agency or other body which determines the purpose and means of the processing of personal data.
  • A Data Processor refers to a natural or legal person, public authority, agency or any other entity that processes the personal data on behalf of the Data Controller.
  • The processing of personal data must follow the principles set out in section 25 of the Data Protection Act. Data Controllers and Data Processors must observe these principles while processing personal data:
    • Adherence to the right of the data subject to privacy;
    • Lawfulness, fairness and transparency;
    • Purpose limitation, i.e. processing personal data for explicit, specified and legitimate purposes;
    • Principle of data minimisation, i.e. personal data should be adequate, relevant, and limited to what is necessary for the data processing purposes;
    • Accuracy. Personal data should be up to date, and reasonable steps taken to ensure that any inaccuracy is erased or rectified without delay;
    • Provision of a valid explanation to the data subject whenever information relating to family or private affairs is required;
    • Storage limitation, i.e. personal data should not be kept for periods longer than the purposes it was collected for;
    • Personal data is not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Rights of Data Subjects

  • The Data Protection Act defines a Data Subject as an identified or identifiable natural person who is the subject of personal data.
  • A Data Subject has a right to know how the Data Collectors or Data Processors will use the data and to access their private data, which is held by a Data Processor or a Data Controller.
  • Also, a Data Subject has the right to object to or oppose the processing of all or part of their private data, to request correction of false or misleading data, and to request deletion of false or misleading data about them.
  • A Data Processor or Data Controller may process a Data Subject’s data, despite their objection, if they prove that there exists a compelling legitimate interest that overrides the subject’s interest, or that the processing of personal data is in the exercise or defence of a legal claim.
  • Section 37(2) provides a safety net to protect the Data Subject’s data from being used for commercial purposes by Data Processors and Data Controllers in a manner that exposes the Data Subject’s identity.

Conditions of Consent

  • The Data Protection Act emphasises the importance of protecting privacy and personal data. Section 32 of the Act sets down the conditions under which personal data is to be collected; a Data Collector or Data Controller bears the burden of proving that consent was obtained from the Data Subject before personal data is collected and processed.

Children Protection

  • Children are vulnerable members of society; hence the government is keen on protecting children’s data from illegal access or misuse. Section 33 of the Data Protection Act obliges Data Processors and Data Controllers not to process a child’s private and personal data unless they obtain consent from the child’s parent or guardian. The Data Processor or Controller must ensure that they process children’s data in a manner that protects their rights and is in the best interest of the child.
  • To ensure adherence to the laws regarding the protection of children’s rights, section 33(2) of the Act requires Data Processors and Data Controllers to put in place mechanisms for age verification and consent before a child’s data is processed.

Data Retention

  • The Act does not prescribe the duration for which Data Processors and Data Controllers may keep personal data. Section 39 of the Act permits Data Controllers and Data Processors to keep personal data for as long as it is reasonable and necessary to satisfy the intended purposes of the collection. In other words, the period for which Data Controllers and Data Processors may keep personal data is a reasonable time to accomplish that purpose.
  • Data Controllers and Data Processors may retain personal data after accomplishing their purpose. However, they may only retain personal data if they prove that they are authorised by law to maintain the data. The Data Controllers and Data Processors should only keep personal data for reasonable and lawful purposes after seeking the consent of the Data Subject.
  • Data Controllers and Data Processors are obliged to dispose of the personal data after fulfilling the purpose of collecting the data.

Protection of Sensitive Personal Data

  • Section 44 of the Act prohibits the processing of sensitive personal data unless the processing adheres to the principles of data protection. In Kenya, data that reveals the health status of a person is sensitive. The Data Commissioner has been vested with powers to specify other categories of personal data that are sensitive.
  • The Data Protection Act restricts the collection, processing, and retention of sensitive personal data. Any person wishing to collect and retain sensitive personal data must prove that the data is being collected under the responsibility of a health care provider, or by a person who is obligated by law to keep the information secret.

Protection against the transfer of Personal Data outside Kenya

  • Section 49 of the Data Protection Act prohibits the processing of sensitive personal data out of Kenya. Data Processors and Data Controllers will only be allowed to process sensitive personal data outside the country after obtaining express consent from the Data Subject and after getting confirmation of appropriate safeguards. In addition to obtaining approval and guarantee, the Data Commissioner may request the person transferring the personal data to another country to demonstrate security safeguards or the existence of compelling legitimate interests.
  • The Data Commissioner has additional powers to ensure the protection of the fundamental rights of Data Subjects by prohibiting, suspending, or subjecting the transfer of personal data to conditions that will secure the Data Subject’s fundamental rights.

The Data Commissioner

  • The Office of the Data Commissioner is vested with broad powers to receive complaints, conduct investigations, and enforce notices. The Commissioner may also seek assistance from other law enforcement agencies in discharging these duties.

Penalties under the Data Protection Act

  • A person who contravenes the provisions of the Data Protection Act is liable to a fine not exceeding three million Kenya shillings (KShs.3,000,000), or imprisonment for a term not exceeding ten years, or to both upon conviction.

Way forward

  • To operationalise the Data Protection Act, the Government of Kenya must now set up the Office of the Data Commissioner and also publish the required Data Protection subsidiary legislation.

©2020

©B M Musau & Company, Advocates LLP - All rights reserved